MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 59c95c7e7882d8eafd5314cda19c7fd39a25da55f7ea6109025693a17d5ec6f7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NetWire

Vendor detections: 14

Intelligence 14 IOCs YARA 2 File information Comments

SHA256 hash:	59c95c7e7882d8eafd5314cda19c7fd39a25da55f7ea6109025693a17d5ec6f7
SHA3-384 hash:	41d65c88eb3565bfd71db6cb58177a86ef5d975c62c45292c4d467963ba53985a76131d9f9a76aad6e933b6e09e587c9
SHA1 hash:	528497fc0ab6bc410fb971e4558f56fb370036ea
MD5 hash:	85c078ec708786cf1bdb44465afd8eeb
humanhash:	lion-undress-finch-lactose
File name:	Payment Receipt.exe
Download:	download sample
Signature	NetWire Create hunting rule
File size:	841'728 bytes
First seen:	2022-08-04 13:52:57 UTC
Last seen:	2022-08-04 15:20:45 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep	12288:XhvdgbYEc/quWiSNcfEgn9q6eO7cGPqDL1Kgqv5TSEtuS:ZdAYTe1cH9q6cGSgv52E
Threatray	1'226 similar samples on MalwareBazaar
TLSH	T146059E0133D57A14D27A4F7549E2D0708BB7EE279836E2EE2CC83E4FB776A148512726
TrID	64.2% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.5% (.SCR) Windows screen saver (13101/52/3) 9.2% (.EXE) Win64 Executable (generic) (10523/12/4) 5.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.9% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	GovCERT_CH
Tags:	exe NetWire

Intelligence

File Origin

# of uploads :

# of downloads :

547

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

netwire

ID:

File name:

Payment Receipt.exe

Verdict:

Malicious activity

Analysis date:

2022-08-04 13:53:26 UTC

Tags:

trojan rat netwire

Link:

https://app.any.run/tasks/f1fe5da7-bf31-4de9-863f-4aa6ff4f6645

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/296493/

Detection(s):

SecuriteInfo.com.Variant.MSILHeracles.40855.26827.13452.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Sending a custom TCP request

Creating a file in the %AppData% directory

Creating a file in the %temp% directory

Сreating synchronization primitives

Launching a process

Creating a process with a hidden window

Unauthorized injection to a recently created process

Creating a file

Sending a TCP request to an infection source

Enabling autorun by creating a file

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/62ebcf875c07b66577f9493a/reports/13920ead-5109-4597-ad2d-597ac6e7d087/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/ff3781b4-1746-4202-a364-dd2a4621ec36

Result

Threat name:

NetWire

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1046311

Signature

C2 URLs / IPs found in malware configuration

Initial sample is a PE file and has a suspicious name

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected AntiVM3

Yara detected NetWire RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/59c95c7e7882d8eafd5314cda19c7fd39a25da55f7ea6109025693a17d5ec6f7/

Threat name:

ByteCode-MSIL.Spyware.SnakeLogger

Status:

Malicious

First seen:

2022-08-04 13:53:09 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

23 of 26 (88.46%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=lhevy7tyqlmov7ktctg2dhd72onclwsv67vgccick2j2c7k6y33q._file

Verdict:

malicious

Label(s):

netwirerc

NetWire

7d43cddf5679f4233ebf701f89050ec267f892165a4c34084ad65963af7ebc36

NetWire

8d30b1713bdbee571ed08365e29d34de1fd0d152a9d816a1e315d92b384f94e9

NetWire

9a558d058307b8c1ef997ef5aa803d4e1f91b94c3c4df9bf038c4b445713a37c

NetWire

9d9f53c7d4040936c0ce96e3a93c551e3f0823eb2b10f72f5a7def2881be346b

NetWire

d2723a5c5c192b80edf6e6ed6d033cd1f916ad9bffefed86ebd6120499c4a058

NetWire

+ 1'216 additional samples on MalwareBazaar

Result

Malware family:

netwire

Score:

10/10

Tags:

family:netwire botnet rat stealer

Link:

https://tria.ge/reports/220804-q6ywhsgfal/

Behaviour

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Checks computer location settings

NetWire RAT payload

Netwire

Malware Config

C2 Extraction:

185.140.53.61:3363
185.140.53.61:3365

Unpacked files

SH256 hash:

7a6b6e2c69b35f3b96411b5ef97312afe2658d439ba933f85e2ba438794a03aa

MD5 hash:

ba0ce8c8f5811281548b3fe143fabfb9

SHA1 hash:

fdf3a6665d81af7c53442897e3c5ed199284748f

Link:

https://www.unpac.me/results/0b5ac855-fa51-4384-87e6-7d8bb76f6ee4/

SH256 hash:

5e97ccd8dafcb36b3cb772f6a2fd425abcf221ab9ea1930e8c2618c95332f2c6

MD5 hash:

01800f6b045def8d90c649842f56d752

SHA1 hash:

f8434a4636d0772d01aac44bb3f9753a41f01d34

Link:

https://www.unpac.me/results/0b5ac855-fa51-4384-87e6-7d8bb76f6ee4/

SH256 hash:

b5be3a13a15fc4e760c824e5f82a4a73db1adee9f8fcbb29d197f4f04727edb4

MD5 hash:

54d3f3d2a72a302ddd014c9769922f88

SHA1 hash:

b083aae8204f319ab80cc40d1d20ecdacb13954b

Detections:

win_netwire_g1

win_netwire_auto

Link:

https://www.unpac.me/results/0b5ac855-fa51-4384-87e6-7d8bb76f6ee4/

Parent samples :

8d30b1713bdbee571ed08365e29d34de1fd0d152a9d816a1e315d92b384f94e9
59c95c7e7882d8eafd5314cda19c7fd39a25da55f7ea6109025693a17d5ec6f7
6ace19befa598ac3913865abf5fea0eac3d66b77425a9700274094d58b50630f
6ad8db92a404b43169c0a93eea5f957867b6c2b10067fbf081192d9c25c3687c
cdee2421636a518cb027f5670691b8f879676a67516d7fb525432ca74efe6bee
e29897654f6d41445ee402a68379f5b87519d4c62528ee1267f65002672ebd26

SH256 hash:

59c95c7e7882d8eafd5314cda19c7fd39a25da55f7ea6109025693a17d5ec6f7

MD5 hash:

85c078ec708786cf1bdb44465afd8eeb

SHA1 hash:

528497fc0ab6bc410fb971e4558f56fb370036ea

Link:

https://www.unpac.me/results/0b5ac855-fa51-4384-87e6-7d8bb76f6ee4/

Malware family:

Netwire

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/59c95c7e7882/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/59c95c7e7882d8eafd5314cda19c7fd39a25da55f7ea6109025693a17d5ec6f7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NetWire

exe 59c95c7e7882d8eafd5314cda19c7fd39a25da55f7ea6109025693a17d5ec6f7

(this sample)

Dropped by

netwire

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/296493/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample